siv-org / siv

Secure Internet Voting protocol
https://siv.org

Timing attacks against API authorization checks #62

Open dsernst opened 2 years ago

dsernst commented 2 years ago

Important that the API uses constant time checks (bitwise XOR) for checking credentials, to protect against timing attacks

Relevant spots to cover:

dsernst commented 2 years ago

Best would be to first write failing tests, that attempt to exploit timing attacks

dsernst commented 1 month ago

Related to https://github.com/siv-org/siv/issues/160, because timing attacks are a specific subset of brute-forcing attacks, far quicker to carry out if vulnerable (e.g. 16 * 10 attempts vs 16 ^ 10).